[SOLVED] edit packets before forwarding in a linux router

kikilinux · 04-08-2014, 02:30 AM

Hi
I have a linux box which i have installed a bird router on it.
My linux box acts as a router now.
I need to edit the packets before forwarding, specifically editing Identification field of IPv4 packet for IP traceback purposes.
how can i perform this ?
any suggestion would be greatly appreciated.

best

nini09 · 04-08-2014, 03:30 PM

You can add a hook in netfilter.

kikilinux · 04-09-2014, 04:24 AM

Dear nini09
Very thanks to answer but can you explain more and how (a little more help) ?
Can I add this functionality to the existing hook in Netfilter or it is better to add another hook in Netfilter?
If u don't have time to explain more i will solve my problem alone.

best

kikilinux · 04-09-2014, 04:42 AM

Hi again
I found this function at http://www.cs.fsu.edu/~baker/devices...inetpeer.h#L42 website :
static inline __u16 inet_getid(struct inet_peer *p, int more)
Is it logical to modify this function to create our custom IP ID field?

best

nini09 · 04-09-2014, 02:51 PM

Following link is good example.
http://fcns.eu/2010/02/15/netfilter-hooks/

kikilinux · 04-11-2014, 06:00 AM

Dear nini09
Maybe this is the last question on this thread.
If i choose netfilter hook to edit IP ID does it has the minimum effect on router performance?
Does it exist another way to perform the similar work with lesser performance effects than netfilter hook?

best

nini09 · 04-11-2014, 02:36 PM

If the NIC support checksum offload, effect should be very tiny. But if no checksum offload support on the NIC, it could affect performance because checksum has be calculate checksum again after IP id is changed.

kikilinux · 04-13-2014, 12:57 PM

but every router has to decrease TTL and recalculate checksum ...

nini09 · 04-14-2014, 02:32 PM

Yes, the checksum is recalculated after TTL is decreased. It is expensive action and can be avoided.
If you can trace kernel code to find out where the TTL is modified and adding your hook before TTL is changed, your recalculation can be avoided.

kikilinux · 04-14-2014, 03:17 PM

Dear nini09
Because in routers the packets must be forwarded and not Destined to router itself can i use my netfilter hook
in :
"ip_forward.c" file
in :
"int ip_forward(struct sk_buff *skb)" function
right before bellow line ??
return NF_HOOK(PF_INET, NF_IP_FORWARD, skb, skb->dev, rt->u.dst.dev,ip_forward_finish);

nini09 · 04-15-2014, 02:36 PM

Yes, you can do like that.

kikilinux · 05-12-2014, 02:10 AM

Hi again
I have this code which i have access to every field of ip header except option field.
how can i access to option field or create option field and append it to ip header ?

static unsigned int hook_func(unsigned int hooknum,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
struct iphdr *ip_header;
struct tcphdr *tcp_header;

ip_header = ip_hdr(skb);

//ip_header = (struct iphdr *)skb_network_header(skb);
skb_set_transport_header(skb, ip_header->ihl * 4);
tcp_header = (struct tcphdr *)skb_transport_header(skb);

return NF_ACCEPT;
}

nini09 · 05-12-2014, 02:26 PM

It is easy to access IP option field if ip header is got. IP option is after IP header, just shifting 20 bytes.
It is difficult to create a new option. The IP and MAC header have to be shifted at first and then a new option can be added.